Conflicting Roles


Task 1 | Task 2 | Description of Risk
Maintain Bank Master Data | AP Payments | Create a non bona-fide bank account and create a check from it.
Maintain Asset Document | Process Vendor Invoices | Pay an invoice and hide it in an asset that would be depreciated over time.
Maintain Asset Document | Goods Receipts to PO | Create an invoice through ERS goods receipt and hide it in an asset that would be depreciated over time.
Cash Application | Bank Reconciliation | Allows differences between cash deposited and cash collections posted to be covered up.
Maintain Asset Master | Goods Receipts to PO | Create the asset and manipulate the receipt of the associated asset.
Process Overhead Postings | Settle Projects | Post overhead expenses to the project and settle the project without going through the settlement approval process.
Maintain Projects and WBS Elements | Settle Projects | Use a fictitious project to allocate overages of an actual project, and settle the project without going through the settlement approval process.
Maintain Projects and WBS Elements | Process Overhead Postings | Manipulate the work breakdown structure elements (profit centers, business areas, cost centers, plants) and post overhead expenses to the project.
Maintain Bank Master Data | Cash Application | Maintain a non bona-fide bank account and divert incoming payments to it.
Maintain Bank Master Data | Manual Check Processing | Create a non bona-fide bank account and create manual checks from it.
Create / Change Treasury Item | Confirm a Treasury Trade | Users can create a fictitious trade and fraudulently confirm or exercise the trade.
Goods Movements | Enter Counts - WM | Accept goods via goods receipts and perform a WM physical inventory adjustment afterwards.
Goods Movements | Enter Counts - IM | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
Goods Movements | Enter Counts & Clear Diff - IM | Accept goods via goods receipts and perform an IM physical inventory adjustment afterwards.
Vendor Master Maintenance | Process Vendor Invoices | Maintain a fictitious vendor and enter a vendor invoice for automatic payment.
AP Payments | Vendor Master Maintenance | Maintain a fictitious vendor and create a payment to that vendor.
Process Vendor Invoices | AP Payments | Enter fictitious vendor invoices and then render payment to the vendor.
Maintain Purchase Order | Process Vendor Invoices | Purchase unauthorized items and initiate payment by invoicing.
Maintain Purchase Order | Goods Receipts to PO | Enter fictitious purchase orders for personal use and accept the goods through goods receipt.
Process Vendor Invoices | Goods Receipts to PO | Enter fictitious vendor invoices and accept the goods via goods receipt.
Maintain Purchase Order | AP Payments | Enter a fictitious purchase order and enter the covering payment.
Vendor Master Maintenance | Maintain Purchase Order | Create a fictitious vendor and initiate purchases to that vendor.
Maintain Purchase Order | Enter Counts & Clear Diff - IM | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
Bank Reconciliation | Process Vendor Invoices | Can hide differences between bank payments and posted AP records.
Service Acceptance | AP Payments | Receive or accept services and enter the covering payments.
PO Approval | Goods Receipts to PO | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order.
PO Approval | AP Payments | Commit the company to fraudulent purchase contracts and initiate payment for unauthorized goods and services.
PO Approval | Process Vendor Invoices | Release a non bona-fide purchase order and initiate payment for the order by entering invoices.
PO Approval | Enter Counts - IM | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
PO Approval | Vendor Master Maintenance | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.
AP Payments | Purchasing Agreements | Enter fictitious purchasing agreements and then render payment.
Vendor Master Maintenance | Purchasing Agreements | Risk of entry of fictitious purchasing agreements together with the entry of a fictitious vendor or modification of an existing vendor, especially account data.
Purchasing Agreements | Goods Receipts to PO | Modify purchasing agreements and then receive goods for fraudulent purposes.
Process Vendor Invoices | Purchasing Agreements | Enter unauthorized items to a purchasing agreement and create an invoice to obtain those items for personal use.
AP Payments | Service Master Maintenance | Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments.
AP Payments | Bank Reconciliation | Risk of the same person entering unauthorized payments and reconciling them with the bank.
Maintain Purchase Order | Enter Counts - IM | Inappropriately procure an item and manipulate the IM physical inventory counts to hide it.
Maintain Purchase Order | Enter Counts - WM | Inappropriately procure an item and manipulate the WM physical inventory counts to hide it.
PO Approval | Enter Counts & Clear Diff - IM | Release a non bona-fide purchase order and keep the action undetected by manipulating the IM physical inventory counts.
PO Approval | Enter Counts - WM | Release a non bona-fide purchase order and keep the action undetected by manipulating the WM physical inventory counts.
Manual Check Processing | Vendor Master Maintenance | Maintain a fictitious vendor and create a payment to that vendor.
Process Vendor Invoices | Manual Check Processing | Enter fictitious vendor invoices and then render payment to the vendor.
Maintain Purchase Order | Manual Check Processing | Enter a fictitious purchase order and enter the covering payment.
Service Acceptance | Manual Check Processing | Receive or accept services and manually enter the covering check payments.
PO Approval | Manual Check Processing | Commit the company to fraudulent purchases and initiate manual check payments for unauthorized goods and services.
Manual Check Processing | Purchasing Agreements | Enter fictitious purchasing agreements and then render manual checks for payment.
Manual Check Processing | Service Master Maintenance | Risk of modifying service master data (to add a service that is normally not ordered by the company) and the entry of covering payments.
Manual Check Processing | Bank Reconciliation | Risk of the same person entering unauthorized manual payments and reconciling them with the bank.
Maintain Purchase Order | PO Approval | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.
Credit Management | Sales Order Processing | Enter or modify sales documents and approve customer credit limits.
Sales Order Processing | Clear Customer Balance | Create sales documents and immediately clear the customer's obligation.
Sales Order Processing | Maintain Customer Master Data | Create a fictitious customer and initiate a fraudulent sales document.
Maintain Customer Master Data | Process Customer Invoices | Make an unauthorized change to the master record (payment terms, tolerance level) in favor of the customer and enter an inappropriate invoice.
Maintain Customer Master Data | Sales Rebates | Inappropriately create or change rebate agreements and manage a customer's master record in the favor of the customer. Could also change a customer's master record to direct payment to an inappropriate location.
Clear Customer Balance | Maintain Billing Documents | Potentially clear a customer's balance beforehand and create or make the same change to the billing document for the same customer, clearing them of their obligation.
Sales Order Processing | Maintain Billing Documents | Inappropriately create or change a sales document and generate a corresponding billing document for it.
Credit Management | Sales Rebates | Manipulate the user's credit limit and assign generous rebates to execute a marginal customer's order.
Cash Application | Maintain Billing Documents | Create a billing document for a customer and inappropriately post a payment from the same customer to conceal non-payment.
Maintain Customer Master Data | AR Payments | Create a fictitious customer and initiate payment to the unauthorized customer.
Process Customer Credit Memos | AR Payments | Initiate an unauthorized payment to the customer by entering fictitious credit memos.
Cash Application | Sales Document Release | Change the accounts receivable records to cover differences with customer statements.
Sales Order Processing | Delivery Processing | Cover up an unauthorized shipment by creating a fictitious sales document.
Process Customer Invoices | Sales Pricing Condition | Sales price modifications for sales invoicing.
Sales Order Processing | Sales Pricing Condition | Enter sales documents and lower prices for fraudulent gain.
Credit Management | Cash Application | Perform the credit approval function and modify cash received for fraudulent purposes.
Cash Application | Sales Rebates | Enter fictitious sales rebates and then render fictitious payments.
Cash Application | Maintain Customer Master Data | Risk of the same person entering changes to the customer master file and modifying the cash received for the customer.
Process Customer Invoices | Credit Management | Risk of the same person modifying and entering sales invoices and approving credit limits.
Maintain Billing Documents | Sales Pricing Condition | Risk of sales price modifications for sales invoicing.
Maintain Customer Master Data | Clear Customer Balance | Maintain a customer master record and post a fraudulent payment against it.
Maintain Customer Master Data | Maintain Billing Documents | User can create a fictitious customer and then issue invoices to the customer.
Cash Application | Process Customer Invoices | User can create/change an invoice and enter/change payments against the invoice.
Delivery Processing | Cash Application | User can create a fictitious/incorrect delivery and enter payments against it, potentially misappropriating goods.
Sales Order Processing | Process Customer Invoices | User is able to create a fraudulent sales contract to include additional goods and enter an incorrect customer invoice to hide the deception.
Clear Customer Balance | Process Customer Credit Memos | Create a credit memo, then clear the customer to prompt a payment.
Maintain Employee (PA) Master Data - 0008 - 0009 ( | Process Payroll | Modify payroll master data and then process payroll. Potential for fraudulent activity.
HR Benefits | Process Payroll | Change employee HR benefits, then process payroll without authorization. Potential for fraudulent activity.
3rd Party Remittance | HR Vendor Data | Changing master data and creating the remittance could result in fraudulent payments.
Maintain Time Data | Approve Time | Change payroll master data and enter time data applied to incorrect settings.
Maintain Time Data | Process Payroll | Modify time data and process payroll, resulting in fraudulent payments.
Maintain Payroll Configuration | Process Payroll | Change the configuration of payroll, then process payroll, resulting in fraudulent payments.
Maintain Employee (PA) Master Data - 0008 - 0009 ( | Maintain Payroll Configuration | Change the configuration of payroll, then modify payroll master data, resulting in fraudulent payments.
Maintain Employee (PA) Master Data - 0008 - 0009 ( | Modify PD Structure | Change payroll master data and modify the PD structure.
Maintain Time Data | Payroll Maintenance | Enter false time data and perform payroll maintenance.
Payroll Maintenance | Process Payroll | Change payroll and process payroll without proper authorization.
Maintain Payroll Configuration | Payroll Maintenance | Change payroll configuration and perform maintenance on payroll settings.
Maintain Time Data | Maintain Payroll Configuration | Modify payroll configuration and enter false time data.
Maintain Time Data | Modify PD Structure | Enter false time data and maintain the PD structure.
Maintain Employee (PA) Master Data - 0008 - 0009 ( | Maintain Time Data | Users may enter false time data and process payroll, resulting in fraudulent payments.
Maintain Employee (PA) Master Data - 0008 - 0009 ( | Payroll Maintenance | Users may maintain employee master data, including pay rates, and delete the payroll result.
Payroll Schemas | Maintain Time Data | Users may enter false time data and perform work schedule evaluations.
Basis Development | Configuration | A developer could modify an existing program in production, perform traces on the program and configure the production environment to limit monitoring of the program run by increasing alarm thresholds and eliminating audit trails through external OS comma
Basis Development | Transport Administration | A developer could create or modify a program in production and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting back to the program's original version without any trace of the changes made in production.
Basis Utilities | Configuration | A developer could modify program components (menus, screen layout, messages, queries) and configure the production environment to limit monitoring of the program runs using the modified program components by increasing alarm thresholds and eliminating audit trail
Basis Utilities | Transport Administration | A developer could modify program components (menus, screen layout, messages, queries) and force the transport of these changes after the fact to conceal irregular development practices. This also enables reverting back to the program components origin
Basis Table Maintenance | System Administration | An individual could modify data in tables or modify valid configuration values and set up the production environment to run transactions and programs using the inappropriately modified data. This could affect data integrity, system performance, and proper
Basis Table Maintenance | Client Administration | An individual could modify data in tables or change valid configuration and replicate these changes to other clients. This is particularly sensitive if client administration transactions come with client-independent authorization allowing the developer to
Security Administration | Client Administration | An individual could inappropriately modify roles and assignments and reflect this change to the production's mirror copy, eliminating the chance to revert to the appropriate setup.
Security Administration | Transport Administration | A security administrator could make inappropriate changes to unauthorized security roles, transport them, and assign them to a fictitious user for execution.
Create Transport | Perform Transport | Can create transports, add objects to the transport, and move the transport: can put unauthorized object changes into production, bypassing the change control process.
Maintain Number Ranges | System Administration | Can reset the number ranges (1) and delete your log/audit trail (2).
Maintain User Master | Maintain Profiles / Roles | One person controlling both the access in the profile/role and the user IDs increases the risk of inappropriate access.
APO Maintain Model | APO Supply & Demand Planning | Unauthorized maintenance of the planning model and version may adversely impact the production planning data stored in APO. This transaction should be limited to a selected demand planning super user or manager.
APO Model & Version Management | APO Supply & Demand Planning | Unauthorized deletion of the active planning version may adversely impact the production planning data stored in APO. This transaction should be limited to a selected demand planning super user or manager.
APO active version) | APO Supply & Demand Planning | Unauthorized maintenance of the planning model and version may adversely impact the production planning data stored in APO. This transaction should be limited to a selected demand planning super user or manager.
APO Define Advanced Macros | APO Supply & Demand Planning | Access to maintain macros/rules should be controlled via the change management process. Unsupported or incorrect adjustments made to the macros/rules may result in inaccurate production planning and production scheduling.
Maintain Business Partner | Process CRM Sales Order | A user could create a fictitious business partner and initiate fraudulent sales orders for that partner. Master data such as business partners should not be maintained by the same users who process transactions using that master data.
Process CRM Sales Order | Delivery Processing | A user could create a fictitious sales order to cover up an unauthorized shipment.
Process CRM Sales Order | CRM Billing | Inappropriately create or change sales documents and generate the corresponding billing document in CRM.
Process CRM Sales Order | Maintain Billing Documents | Inappropriately create or change sales documents and generate the corresponding billing document in R3.
Service Order Processing | Service Confirmation | Enter fictitious service orders for personal use and accept the services through service acceptance. The user could prompt fraudulent payments. In addition, spare parts could be fraudulently issued from inventory as a result of the confirmation.
CRM Billing | Maintain Business Partner | User can create a fictitious business partner and then process billing in CRM for that partner.
Maintain Billing Documents | Maintain Business Partner | User can create a fictitious business partner and then process billing in R3 for that partner.
Service Confirmation | CRM Billing | Inappropriately accept or confirm a service order and generate a corresponding billing document in CRM for the order.
Service Confirmation | Maintain Billing Documents | Inappropriately accept or confirm a service order and generate a corresponding billing document in R3 for the order.
Process Credit Memo | CRM Billing | User could create a fictitious credit memo and run billing due in CRM to prompt a payment to a customer. The customer could provide a kickback to the internal user.
Process Credit Memo | Maintain Billing Documents | User could create a fictitious credit memo and run billing due in R3 to prompt a payment to a customer. The customer could provide a kickback to the internal user.
Process Customer Invoices | Maintain Conditions | Pricing conditions could be manipulated to provide inappropriate discounts or incentives to customers, which will be realized in an incorrect invoice.
Process CRM Sales Order | Maintain Conditions | A user could enter a sales order in CRM and lower prices via conditions for fraudulent gain.
Maintain Opportunity | Process Payroll | Commission or incentives may be paid based on the number of qualified leads. Inappropriately qualified leads could result in fraudulent commission payments.
Service Order Processing | Process Payroll | Commission or incentives may be paid based on the number of service orders. Fraudulent orders could be entered to achieve higher sales for commissions.
Process CRM Sales Order | Process Payroll | Commission or incentives may be paid based on the number of sales orders. Fraudulent orders could be entered to achieve higher sales reporting for commissions.
EBP / SRM Vendor Master | EBP / SRM Invoicing | Maintain a fictitious vendor and enter an invoice to be included in the automatic payment run.
EBP / SRM Purchasing | EBP / SRM Invoicing | Purchase unauthorized items and prompt the payment by invoicing.
EBP / SRM Purchasing | EBP / SRM Goods Receipt/Service Acceptance | Enter fictitious orders for personal use and accept the goods or services through goods receipt or service acceptance.
EBP / SRM Invoicing | EBP / SRM Goods Receipt/Service Acceptance | Enter fictitious invoices and accept goods or services via goods receipt or service acceptance.
EBP / SRM Vendor Master | EBP / SRM Purchasing | Maintain a fictitious vendor and initiate purchases to that vendor.
Bank Reconciliation | EBP / SRM Invoicing | A user can hide differences between bank payments and posted AP records.
EBP / SRM Goods Receipt/Service Acceptance | Enter Counts - WM | Accept goods via SRM goods receipts and perform a WM physical inventory adjustment afterwards.
EBP / SRM Goods Receipt/Service Acceptance | Enter Counts - IM | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards.
EBP / SRM Goods Receipt/Service Acceptance | Enter Counts & Clear Diff - IM | Accept goods via SRM goods receipts and perform an IM physical inventory adjustment afterwards using powerful IM transactions.
EBP / SRM Purchasing | Goods Receipts to PO | Enter fictitious orders for personal use and access the goods or services through goods receipt.
EBP / SRM Purchasing | Service Acceptance | Enter fictitious orders for personal use and access the goods or services through service acceptance.
EBP / SRM PO Approval | Goods Receipts to PO | Approve the purchase of unauthorized goods and hide the misuse of inventory by not fully receiving the order in R3.
EBP / SRM Purchasing | EBP / SRM PO Approval | Where release strategies are utilized, the same user should not maintain the purchase order and release or approve it.
EBP / SRM Vendor Master | EBP / SRM PO Approval | Create a fictitious vendor or change existing vendor master data and approve purchases to this vendor.
EBP / SRM Purchasing | EBP / SRM Maintain Org Structure | Enter fictitious orders for personal use and manipulate the organizational structure to bypass approvals.
EBP / SRM Vendor Master | EBP / SRM Maintain Org Structure | Create or maintain a fictitious vendor and manipulate the organizational structure to bypass approvals or secondary checks.
EBP / SRM Maintain Shopping Cart | EBP / SRM PO Approval | Initiate purchases by selecting goods to be included in a shopping cart, then approve the purchase.
Maintain Hierarchies | AP Payments | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Process Vendor Invoices | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Manual Check Processing | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Cash Application | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Process Customer Invoices | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Maintain Cost Centers | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Maintain Asset Document | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Maintain Asset Master | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Revenue Reposting | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Post Journal Entry | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Maintain GL Master Data | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Post Journal Entry (misc Tax/Currency) | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Vendor Master Maintenance | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
Maintain Hierarchies | Maintain Customer Master Data | AP/AR/GL master data creation and posting functions in conjunction with payment processing, receipt of money, GL account access; and the ability to modify ECCS hierarchy and reporting output.
